During a trust provisioning process, a manufacturer establishes secrets between a manufactured device and a customer before delivery. This process usually depends on long-term secret inputs from the customer and from the manufacturer of the device, which are used to derive the secrets to be put on the device; i.e., there is a component that handles these long-term secret inputs and provides the device secrets as output. This component is usually a hardware security module (HSM).
A major threat in this scenario is that the HSM leaks information about the long-term secrets through its output. This may happen either accidentally (a programming error) or deliberately (a maliciously crafted program). Thus, in many cases the HSM code must undergo a thorough examination, concluding in certification, before the manufacturer can use it for trust provisioning. Once certified, the program of the HSM is frozen. However, the required program is usually different for every customer, which leads to a large evaluation and certification effort.
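To make the two paragraphs above concrete, the following Python example (added here; it is not code from the original text or from any particular HSM or manufacturer) models the derivation component in the HSM: two long-term secrets go in, one per-device secret comes out. It places a sound HKDF-style derivation (RFC 5869 extract/expand built from HMAC-SHA256) beside a plausible-looking but broken one that illustrates the "programming error" case: the output is the manufacturer's secret masked with a value the customer can compute, so a customer who receives the device secret can recover the manufacturer's long-term secret. The secret values, the device identifiers and the context label are constructed for the example.

```python
import hashlib
import hmac

# Constructed long-term secrets for the example. In a real provisioning setup
# these would be loaded into the HSM and never leave it.
CUSTOMER_SECRET = bytes.fromhex(
    "c0ffee1122334455667788990011223344556677889900112233445566778899")
MANUFACTURER_SECRET = bytes.fromhex(
    "0badf00d99887766554433221100998877665544332211009988776655443322")

# Context label (assumed for the example) so that the same long-term secrets
# can later be reused for other purposes without producing the same keys.
CONTEXT = b"trust-provisioning/device-secret/v1"


def derive_device_secret(customer_secret: bytes, manufacturer_secret: bytes,
                         device_id: bytes) -> bytes:
    """Sound derivation: HKDF-style extract/expand with HMAC-SHA256.

    Extract mixes both long-term secrets into one pseudorandom key (PRK);
    expand binds the PRK to a context label and the device identity.
    Because every step is a PRF keyed by secret material, the 32-byte output
    reveals nothing usable about either long-term input.
    """
    prk = hmac.new(customer_secret, manufacturer_secret, hashlib.sha256).digest()
    info = CONTEXT + b"|" + device_id
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def derive_device_secret_leaky(customer_secret: bytes, manufacturer_secret: bytes,
                               device_id: bytes) -> bytes:
    """Broken derivation (constructed for illustration, not from the page).

    The manufacturer secret is only XORed with a mask derived from the
    customer's secret and the device ID. The customer knows both of those, so
    the HSM output leaks the manufacturer's long-term secret verbatim.
    """
    mask = hmac.new(customer_secret, device_id, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(manufacturer_secret, mask))


def recover_manufacturer_secret(customer_secret: bytes, device_id: bytes,
                                device_secret: bytes) -> bytes:
    """What the customer can compute from the leaky output: strip the mask."""
    mask = hmac.new(customer_secret, device_id, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(device_secret, mask))


def output_leaks_manufacturer_secret(derive, customer_secret: bytes,
                                     manufacturer_secret: bytes,
                                     device_id: bytes) -> bool:
    """Simple leak check for this specific failure mode: run the derivation
    and test whether the customer-side recovery yields the manufacturer secret.
    (A real evaluation would be a code review of the HSM program, not a
    black-box test; this only demonstrates the threat.)"""
    out = derive(customer_secret, manufacturer_secret, device_id)
    return recover_manufacturer_secret(customer_secret, device_id, out) == manufacturer_secret


if __name__ == "__main__":
    dev = b"SN-0001"
    print("sound  :", derive_device_secret(CUSTOMER_SECRET, MANUFACTURER_SECRET, dev).hex())
    print("leaky  :", derive_device_secret_leaky(CUSTOMER_SECRET, MANUFACTURER_SECRET, dev).hex())
    print("sound derivation leaks manufacturer secret:",
          output_leaks_manufacturer_secret(derive_device_secret, CUSTOMER_SECRET,
                                           MANUFACTURER_SECRET, dev))
    print("leaky derivation leaks manufacturer secret:",
          output_leaks_manufacturer_secret(derive_device_secret_leaky, CUSTOMER_SECRET,
                                           MANUFACTURER_SECRET, dev))
```

The point of the leaky variant is that it is not obviously wrong: it is deterministic, per-device, and uses a keyed hash, yet a customer holding the derived device secret can invert it. That is precisely why the text argues for reviewing the HSM program rather than trusting its outputs, and why a per-customer program variant reopens the review each time.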